Effective Security Alert Triage

Most security operations centers face an overwhelming number of security alerts every day. Limited resources make it impossible to investigate them all, and most of the alerts turn out to be false positives. Effective security alert triage – the process of quickly and accurately determining the severity of a threat – is a must-have component for every organization. It’s imperative that analysts are able to immediately prioritize a seemingly endless stream of alerts and correctly differentiate between benign and dangerous situations.

The term “triage” originated on the battlefields of France. According to the U.S. National Library of Medicine, Napoleon’s chief surgeon, facing a large number of casualties with limited resources to care for them, devised a method of sorting the wounded into three categories:

Those who would likely live regardless of what medical attention they received

Those who were unlikely to live regardless of what care they received

Those for whom immediate care might make a positive difference in outcome

Napoleon’s doctors called this process “triage” and used it to achieve maximum utilization of available resources. The term is still used by emergency response teams today, and triage training is as important as ever.

Cybersecurity Triage

The principles of triage apply not only to the medical profession but also to data security incidents. Like Napoleon’s surgeons, security analysts are constantly overwhelmed with more incidents than they can possibly attend to. It’s critical that analysts quickly differentiate between security alerts that are actual threats to the organization, and those that aren’t.

How can frequently overworked and under-resourced security teams efficiently engage in cybersecurity triage? How can the security staff accurately and quickly determine which alerts require their immediate attention, and which ones the team can safely ignore?

The answer to this question lies in the speed and accuracy of their tools. It boils down to how well and how fast the organization’s security system can deliver a complete-enough picture of the developing situation. The tools need to provide clear and concise information to analysts, enabling them to quickly assess each alert, categorize it along the lines of high, low, or no risk, and prioritize resources accordingly.

Unfortunately, most security tools fail to do a good job at this. They generate a lot of individual alerts, but the tools lack the ability to develop any real insight or granularity, so the alerts are vague and of little actionable value. It’s impossible for analysts to determine which alerts are the most urgent.

Typically, security dashboards are covered in red, presenting analysts with long lists of alerts that say something like “malware binary.” But when an analyst clicks on one of these binaries to learn what to do, they are often simply told that “malicious behavior was detected” and to consult a security expert. That’s not particularly helpful because presumably, the analyst is the security expert.

The only thing such tools tell an analyst is that there are a bunch of incidents that could be bad. There is no clear picture and no priority. In the vast majority of cases, the analyst doesn’t know what the program in question actually did. Was it ransomware? Did it steal data? Did it create a botnet or a backdoor? Was it designed to move laterally to infect additional hosts? Ultimately, to determine and understand what the program did, the analyst must often study literally hundreds of pages of logs showing loosely related or even unrelated fragments of information. It takes tremendous skill and many hours or even days to put the puzzle together. This clearly won’t do for triaging security alerts.

Effective Security Alert Triage

While not a full investigation, cybersecurity triage is an essential first step. It’s faster and simpler than a complete incident response, and it is the key to prioritizing more thorough investigations.

To effectively facilitate the triage process, the organization’s security tools must accurately determine for the analyst what the program, file, or link was designed to actually do or has already done, such as:

A ransom note was generated and the program encrypted data

Private or sensitive data was transmitted outside of the organization

Login credentials were stolen

Communication was observed (or attempted) with a malicious command and control server

The program used specific techniques to try to evade detection

User accounts were accessed by someone other than the account owner or authorized administrator

User accounts were added or modified to have administrator privileges

A backdoor was established

The program installed malware, unauthorized tools, or a botnet

System or other programs were modified

The program modified the system’s start-up procedures

Armed with details such as those listed above, the breach detection system can automatically and rapidly generate an accurate risk score that is much more granular than simply “good” or “bad.” The details of how the system calculates the score are not necessary for triage. At this point, the analyst is focused solely on efficiently sorting and prioritizing the alerts.
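To make the idea concrete, here is an added example (not part of the original post and not Lastline’s scoring logic) that turns a list of observed behaviors like the one above into a granular 0–100 score and a prioritized queue. The behavior tags mirror the list above; the weights, thresholds, host names and sample alerts are assumptions chosen for illustration. Note how an alert that carries only a verdict (“trojan.generic”, “filerepmalware”) and no behavioral detail cannot be scored at all and is routed to its own queue rather than being ranked low and forgotten.

```python
"""Behavior-based alert triage over a constructed alert queue.

Added example; this is not Lastline's scoring method. The behavior tags come
from the article's list; weights, thresholds and sample alerts are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Observed behaviors mapped to an assumed impact weight (0-100).
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "ransom_note_and_encryption": 90,
    "data_exfiltration": 85,
    "credential_theft": 80,
    "backdoor_established": 75,
    "c2_communication": 70,
    "admin_privilege_granted": 65,
    "unauthorized_account_access": 60,
    "malware_or_tool_installed": 55,
    "startup_persistence": 50,
    "system_files_modified": 45,
    "evasion_technique": 30,
}


@dataclass
class Alert:
    alert_id: str
    host: str
    label: str                                          # verdict from the detecting tool
    behaviors: List[str] = field(default_factory=list)  # what the object actually did


def risk_score(alert: Alert) -> int:
    """Granular 0-100 score, or -1 when the alert carries no behavioral detail.

    The strongest observed behavior sets the base; each further behavior adds a
    quarter of its own weight, so a sample that evades *and* contacts C2 outranks
    one that only evades, without every multi-behavior sample saturating at 100.
    """
    unknown = [b for b in alert.behaviors if b not in BEHAVIOR_WEIGHTS]
    if unknown:
        raise ValueError(f"unknown behavior tags: {unknown}")
    weights = sorted((BEHAVIOR_WEIGHTS[b] for b in alert.behaviors), reverse=True)
    if not weights:
        return -1
    score = weights[0] + sum(w // 4 for w in weights[1:])
    return min(100, score)


def priority(score: int) -> str:
    """Map a score onto the triage bucket an analyst works from (assumed thresholds)."""
    if score < 0:
        return "needs_analysis"  # "malicious behavior detected" and nothing else
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Return alert IDs per bucket, most urgent first within each bucket.

    Alerts with no behavioral detail are not scored low and dropped; they land in
    'needs_analysis' because the tool gave the analyst nothing to sort on.
    """
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": [], "needs_analysis": []}
    scored = sorted(((risk_score(a), a) for a in alerts), key=lambda t: t[0], reverse=True)
    for score, alert in scored:
        buckets[priority(score)].append(alert.alert_id)
    return buckets


# Constructed sample queue (not real telemetry; hosts and IDs are made up).
SAMPLE_ALERTS = [
    Alert("A-1001", "fin-ws-07", "malware binary",
          ["ransom_note_and_encryption", "startup_persistence", "evasion_technique"]),
    Alert("A-1002", "dev-ws-12", "trojan.generic", []),  # verdict only, no detail
    Alert("A-1003", "hr-ws-03", "malware binary", ["evasion_technique"]),
    Alert("A-1004", "dc-01", "suspicious process",
          ["unauthorized_account_access", "admin_privilege_granted"]),
    Alert("A-1005", "web-02", "malware binary", ["evasion_technique", "c2_communication"]),
    Alert("A-1007", "mkt-ws-05", "pup", ["system_files_modified"]),
    Alert("A-1006", "ops-ws-21", "filerepmalware", []),  # verdict only, no detail
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_ALERTS).items():
        print(f"{bucket:>14}: {ids}")
```

Running the block puts the ransomware sample and the privilege-escalation alert at the top of the “high” queue, the lone evasive sample in “low”, and the two verdict-only alerts in “needs_analysis”, which is exactly the distinction the dashboards described above fail to make.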

Tools Make the Difference in Effective Security Alert Triage

When you’re looking to upgrade cybersecurity systems, focus on products that can efficiently support the triage process. Unfortunately, as stated above, most products don’t. To further illustrate this point, one need only examine the information generated by most threat detection products. Each quarter, Lastline receives tens of millions of “unknown objects” from our customers and partners that require analysis. We receive these submissions only after other security tools such as firewalls and secure web or email gateways have scanned them. In most cases, the only information these security tools provide about the objects is a label like “filerepmalware” or “trojan.generic.” This is clearly not good enough to perform effective triage. [NOTE: For more information about threats that commonly slip through traditional security tools and the limited information they provide about objects that they do evaluate, see Lastline’s Q4 2017 Malscape Monitor Report.]

To summarize, as part of a complete cybersecurity defense, it’s essential for every organization to efficiently perform security alert triage, utilizing tools that automate the process. Without such tools, security teams will be directionless and overwhelmed, and will likely miss dangerous threats.

Currently on leave from his position as Professor of Computer Science at UC Santa Barbara, Christopher Kruegel’s research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. Christopher previously served on the faculty of the Technical University Vienna, Austria. He has published more than 100 peer-reviewed papers in top computer security conferences and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators, IBM Faculty Award, and several best paper awards. He regularly serves on program committees of leading computer security conferences. Christopher was the Program Committee Chair of the Usenix Workshop on Large Scale Exploits and Emergent Threats (LEET, 2011), the International Symposium on Recent Advances in Intrusion Detection (RAID, 2007), and the ACM Workshop on Recurring Malcode (WORM, 2007). He was also the head of a working group that advised the European Commission (EC) on defenses to mitigate future threats against the Internet and Europe's cyber-infrastructure.